CVE-2022-33886

CVSS V2 None CVSS V3 High 7.8

Description

A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023, 2022, 2021, 2020, and Maya 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. A malicious actor could leverage this vulnerability to execute arbitrary code.

Overview

CVE ID
CVE-2022-33886

Assigner
psirt@autodesk.com

Vulnerability Status
Modified

Published Version
2022-10-03T15:15:17

Last Modified Date
2023-04-17T21:15:07

Weakness Enumerations

CWE	URL
CWE-755	http://cwe.mitre.org/data/definitions/755.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:autodesk:autocad::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_advance_steel::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_advance_steel::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_architecture::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_architecture::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_civil_3d::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_civil_3d::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_electrical::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_electrical::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_lt::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_lt::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_map_3d::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_map_3d::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_mechanical::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_mechanical::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_mep::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_mep::::::::	1	OR	2023	2023.1.1
cpe:2.3:a:autodesk:autocad_plant_3d::::::::	1	OR	2022	2022.1.3
cpe:2.3:a:autodesk:autocad_plant_3d::::::::	1	OR	2023	2023.1.1

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector
LOCAL

Attack Compatibility
LOW

Privileges Required
NONE

User Interaction
REQUIRED

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
HIGH

Base Score
7.8

Base Severity
HIGH

Exploitability Score
1.8

Impact Score
5.9

References

Reference URL	Reference Tags
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2022-33886
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33886

History

Created	Old Value	New Value	Data Type	Notes
2022-10-03 16:00:13				Added to TrackCVE
2022-12-07 05:28:55	2022-10-03T15:15Z	2022-10-03T15:15:17	CVE Published Date	updated
2022-12-07 05:28:55		2022-10-05T19:12:39	CVE Modified Date	updated
2022-12-07 05:28:55		Analyzed	Vulnerability Status	updated
2023-04-17 22:03:22		2023-04-17T21:15:07	CVE Modified Date	updated
2023-04-17 22:03:22	Analyzed	Modified	Vulnerability Status	updated
2023-04-17 22:03:22	A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code.	A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023, 2022, 2021, 2020, and Maya 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. A malicious actor could leverage this vulnerability to execute arbitrary code.	Description	updated